tevador / seraphis-pq.md

submitted by Style Pass, 2024-10-28 18:00:03

This draft presents post-quantum mitigations for Monero's next transaction protocol Seraphis. These mitigations are "zero-cost" in the sense that they only involve changes to the way private keys and blinding factors are calculated, which is transparent to blockchain verifiers. Mitigated keys will be compatible with a future hard-fork that can be put in place to ensure monetary soundness and security of the protocol even against a quantum computer.

While these mitigations do not prevent a quantum adversary from breaking the privacy of past transactions, they protect Monero from a total collapse that would result from an undetectable money supply inflation or the theft of users' funds.

In 2020, Monero performed a post-quantum security audit that confirmed severe vulnerabilities of the transaction protocol against quantum algorithms [1]. In descending order of severity, a quantum adversary (QA) would be able to:

While the audit mostly focused on Monero's current transaction protocol RingCT, the above issues also apply to the next transaction protocol Seraphis [2]. In addition, Seraphis is vulnerable to a double-spending attack because its key images are not perfectly bound to the output keys. Double-spending would also enable a QA to undetectably inflate the money supply.
